On Wed, Oct 1, 2014 at 4:16 PM, Dimstar / Dominique Leuenberger wrote:
On Wed, 2014-10-01 at 15:53 -0300, Claudio Freire wrote:
On Wed, Oct 1, 2014 at 3:19 PM, Stephan Kulow wrote:
On 01.10.2014 at 18:10, Ludwig Nussel wrote:
Changed packages:
As you might have guessed from the length of a changelog: this was quite a job to get out - but finally bash is secure in official repo.
While that can readily be seen, by the time Factory is considered truly a replacement of TW, perhaps security patches shouldn't need full integration to get in?
I still prefer a security fix going through staging than shooting every system down.. even though a shutdown system is the most secure there is, it's not where we're heading to.
My point is more that, the security team gets a heads-up on patches, and this testing should be done then. I'm not sure they can publish the patch in OBS during the embargo, though, so it's a tricky thing. But integration testing should be done during the embargo, and the only thing left to do when the embargo finishes is publish to the updates repo that Marcus hinted at. Then, you get two results: building against the latest snapshot, and current Factory. If current Factory blows, that doesn't stop them from publishing snapshot. And if you get updated QA runs of snapshot, so you know if things blow. I believe the trickiest part is respecting the embargo, that's something the security team knows how to resolve I think (they already do it for released versions).
What I mean is, that thread saying bash patches weren't applied to Factory because then Gnome would be included and it was broken... wasn't that what rings were about preventing?
You misunderstood something here: the new GNOME stack was not in Factory at the time of this reporting... there was still GNOME 3.12 from March. 'something' else happened to sneak through the openQA process which did not trigger the various desktops to fail there (and it was not only GNOME; G just was less random in getting a failure to be seen).
So: while the broken stuff already WAS in Factory (not caught in the staging QA runs), bash entered as well.. publishing the state would have meant to knowingly publish a tree possibly breaking.
Yes, that's what I understood, just thought it was purely gnome, and it's a tricky state of affairs. That's why the update repo that applies against factory snapshot is an important thing IMHO.